On Monday, March 13, 2017 at 5:07:42 AM UTC-4, Jean-Philippe Ouellet wrote:
> On Mon, Mar 13, 2017 at 5:04 AM, Jean-Philippe Ouellet <[email protected]> wrote:
> > On Mon, Mar 13, 2017 at 2:29 AM, InfusingPrivacy 
> > <[email protected]> wrote:
> >> 1. Is there a guide on how we can harden the netvm? How can I view what 
> >> default services, files, ports/remote access are enabled on the default 
> >> netvm and how make my hardening customizations to the netvm permanent? I 
> >> mainly want to make sure the netvm has no remote filesystem access from 
> >> the internet (i.e. ssh, ftp, etc); the only 'access' should be from dom0.
> >
> > You should do your firewalling, etc. in sys-firewall rather than
> > sys-net. This is because sys-net has a higher chance of being
> > compromised via vulnerable wireless card drivers or malicious wireless
> > card firmware, and you would not want that compromised sys-net to be
> > able to turn off your firewall! ;) This is the reason sys-firewall
> > exists as a separate domain behind it.
> 
> Likewise, when you are running "high-risk" (complex) protocol parsers
> (like tcpdump, wireshark, etc.), it is preferable to do so in sys-net
> (or a cloned sys-net based on a template with such tools installed)
> rather than sys-firewall, because it is desirable to protect
> sys-firewall from such attack vectors.

Ok; thanks for all of the information! It was very helpful!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2d35829e-ea9b-4009-9041-2896c110ac87%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to